What is needed to use active directory to authorize users on a mx67

Solved
Mr_Bill
Here to help

New user; I have mx67, ms120, windows server 2016 running active directory and dns.

Is that enough to run client vpn and authorize users or do I need additional stuff on the windows 2016 server?

"3:27:21.633548 IP 166.173.59.91.33506 > 162.233.197.233.1701: l2tp:[TLS](24253/12933)Ns=4,Nr=3 *MSGTYPE(CDN) *ASSND_SESS_ID(12055) *RESULT_CODE(768/0 )" is the last message in a packet trace before I get an "authentication failed" message.

1 Accepted Solution
Mr_Bill
Here to help

I was getting authorization failed. Turns out submitting username as domain\username instead of username@domainname was the problem. I knew it had to be something simple. On to the next set of challenges.

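As an added example (not from this thread and not Meraki's or Microsoft's own code), a PowerShell check an admin can run on a domain-joined host to confirm which UPN a user should type on the VPN client and that the global catalog port seen in the capture (3268) is reachable; the DC name and account name are placeholders.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory module.
# Placeholders: domain controller 'dc01', sAMAccountName 'bill' (the part after domain\).
Import-Module ActiveDirectory

$dc   = 'dc01'
$user = 'bill'

# 1. Is the global catalog port the MX was talking to reachable from here?
$gc = Test-NetConnection -ComputerName $dc -Port 3268 -WarningAction SilentlyContinue
if (-not $gc.TcpTestSucceeded) {
    Write-Warning "TCP 3268 on $dc is not reachable from this host"
}

# 2. Which name should the user enter? The MX wants the UPN, not NetBIOS\user.
$domain = Get-ADDomain -Server $dc
$u = Get-ADUser -Identity $user -Server $dc -Properties UserPrincipalName
if (-not $u.UserPrincipalName) {
    Write-Warning "$user has no UPN set; assign one with Set-ADUser -UserPrincipalName"
} else {
    Write-Output "Log in as: $($u.UserPrincipalName)  (not $($domain.NetBIOSName)\$user)"
}

# 3. Optional: bind to the DC with that UPN to separate a bad credential from an MX problem.
$cred = Get-Credential -UserName $u.UserPrincipalName -Message 'VPN user password'
$ldap = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$dc", $cred.UserName, $cred.GetNetworkCredential().Password)
try   { $null = $ldap.NativeObject; Write-Output 'LDAP bind with UPN succeeded' }
catch { Write-Warning "LDAP bind failed: $($_.Exception.Message)" }
```

If step 3 succeeds but the VPN still fails, the problem is between the appliance and the DC (routing, VLAN, or the MX's AD settings), not the account.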

5 Replies
PhilipDAth
Kind of a big deal
Mr_Bill
Here to help

Thank you, I have reviewed the document step by step for the past week. My experience says it has to be something simple/basic at this point. Does the fact that I have one VLAN (vlan 0) for everything matter? No errors on the AD server. Packet capture shows traffic to and from the domain controller on port 3268, but I don't really know what I'm looking at beyond the fact that the traffic is there.

Currently, Active Directory-based authentication works only if one of the following is true:

  • The Domain Controller is in a VLAN configured on the appliance
  • The Domain Controller is in a subnet for which a static route is configured on the appliance
  • The Domain Controller is accessible through the VPN.

If there are multiple Domain Controllers in the domain, all of them must meet one of these criteria in order for Active Directory integration to function properly.

I think I have satisfied the above requirement because packet capture shows traffic between the device on the WAN port (iPhone connected over the LTE network) and the LAN device (Domain Controller).

Meraki cloud authentication works, but it is not the best solution for my network because I have applications running on the network that will be accessed by outside vendors, and I eventually will want to separate them onto a separate VLAN.

I have to be missing something probably simple.

PhilipDAth
Kind of a big deal

What is actually wrong? What is not working? What error messages and codes do you get?

QLSteve
Getting noticed

Congrats and off to the next issue! Life in IT...
